
The biggest bottleneck in DeFi development

Summary: Today, the biggest threat facing DeFi is not just market conditions, not just liquidity, and in terms of security, it requires more than just preventing code vulnerabilities, because spies may be lurking nearby.
Chloe
2026-04-08 21:31:59

Author: Chloe, ChainCatcher

Last week, the Solana lending protocol Drift was hacked, resulting in approximately $285 million in user assets being stolen. According to official statements, this was not a typical smart contract vulnerability attack, but rather a six-month-long, meticulously planned social engineering attack by state-sponsored hackers.

There is even investigative evidence suggesting that the same group of threat actors may have already infiltrated the core development of multiple DeFi protocols, not as attackers, but as contributors.

North Korean hackers commonly infiltrate targets early, but rarely invest large sums of money

According to the statement regarding the Drift incident, the attackers' core strategy was to "become part of the ecosystem."

Starting in the fall of 2025, they disguised themselves as a quantitative trading company and began engaging with Drift's core contributors at major cryptocurrency industry conferences. This engagement was not a one-time occurrence, but rather a series of interactions spanning different countries and multiple conferences, conducted over six months. These individuals were technically proficient, had verifiable backgrounds, and were well-acquainted with how Drift operated.

Moreover, their interactions were not limited to Drift's core members. The attackers also took advantage of the open listing mechanism of Drift's Ecosystem Vault to list their own vault as a legitimate trading company, depositing over $1 million of their own funds, participating in multiple working meetings, and asking in-depth product questions, thereby solidifying the project team's trust in them.

Blockchain technology expert Steven, in an interview with ChainCatcher, stated: "North Korean hackers have been infiltrating targets early on, which is a common practice, but investing large sums of money as a basis for trust is relatively rare. However, for the attackers, this $1 million is essentially a risk-free investment; as long as they do not launch an attack, this money is just normal funds sitting in the vault, easily retrievable at any time; and the actual operations are conducted by unwitting third-party personnel, resulting in almost no economic loss to the organization itself."

Additionally, during their long-term collaboration with Drift, the attackers shared code projects and applications hosted on GitHub under the pretext of showcasing their own development tools. Given the circumstances, it was entirely normal for partners to review each other's code. However, Drift's subsequent investigation revealed that one contributor had cloned a GitHub repository containing malicious code, while another was induced to download a TestFlight application disguised as a wallet product.

The reason this code project pathway is difficult to guard against is that it is fully embedded in the developers' daily workflow. When developers write code, they almost always use code editors like VSCode or Cursor, which can be thought of as an engineer's Word, something they open and use every day.

By the end of 2025, the security research community had disclosed a serious vulnerability in such editors: when a developer opened a code project shared by someone else, malicious instructions hidden in the project would execute automatically in the background, and the whole process was completely silent: no confirmation window popped up, no click to agree was needed, and no warning was shown. The developer believed they were merely "looking at code," while their machine had in fact been implanted with a backdoor. The attackers used this vulnerability to hide malware inside an operation developers perform every day.
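One defensive check this attack path suggests, as an added example that is not from the article or from Drift: before opening a repository someone else shared, scan its editor configuration for anything that runs on folder open. It assumes the VS Code family's `.vscode/tasks.json` with `"runOptions": {"runOn": "folderOpen"}` as one well-known auto-run path, plus a small deny-list of settings keys that point the editor at an executable; the article does not say which mechanism the attackers used, and the sample `tasks.json` below is constructed.

```python
import json
import re
from pathlib import Path

# Settings keys that make the editor launch a project-chosen executable (assumption: a deny-list, not exhaustive).
EXECUTABLE_SETTING_PREFIXES = ("terminal.integrated.", "python.defaultInterpreterPath", "git.path")

def load_jsonc(text: str):
    """Parse VS Code's JSON-with-comments; plain JSON is tried first so '//' inside URLs survives."""
    try:
        return json.loads(text)
    except ValueError:
        text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)    # block comments
        text = re.sub(r"^\s*//[^\n]*", "", text, flags=re.M)  # whole-line comments
        text = re.sub(r",\s*([}\]])", r"\1", text)            # trailing commas
        return json.loads(text)

def scan_tasks(text: str) -> list[str]:
    """One finding per task configured to start as soon as the folder is opened."""
    findings = []
    for task in load_jsonc(text).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
            findings.append(f"task {task.get('label', '?')!r} runs on folder open: {cmd.strip()}")
    return findings

def scan_settings(text: str) -> list[str]:
    return [f"settings override {k} = {v!r}" for k, v in load_jsonc(text).items()
            if k.startswith(EXECUTABLE_SETTING_PREFIXES)]

def scan_workspace(root: Path) -> list[str]:
    """Run both checks on a checked-out repository before opening it in the editor."""
    findings = []
    for name, scanner in (("tasks.json", scan_tasks), ("settings.json", scan_settings)):
        path = root / ".vscode" / name
        if path.is_file():
            findings += scanner(path.read_text(encoding="utf-8", errors="replace"))
    return findings

# Constructed sample, not from the incident: a "build" task that starts on folder open.
SAMPLE_TASKS = """{
  // comments and trailing commas are legal in tasks.json, so a strict JSON parser would choke here
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "sh", "args": ["scripts/setup.sh"],
     "runOptions": {"runOn": "folderOpen"}},
    {"label": "test", "type": "shell", "command": "npm", "args": ["test"]},
  ]
}"""
```

Leaving the editor's Workspace Trust prompt enabled blocks tasks in untrusted folders by default; this check is for repositories that land in an already-trusted or automated workflow, where that prompt never fires.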

By the time the Drift attack occurred on April 1, the attackers' Telegram chat records and all traces of malware had been completely erased, leaving behind a $285 million gap.

Is Drift just the tip of the iceberg?

According to an investigation by the emergency security response organization SEAL 911 in the cryptocurrency industry, this attack was carried out by the same group of threat actors responsible for the Radiant Capital hack in October 2024. The connections include on-chain fund flows (the funds used to prepare and test this operation trace back to the Radiant attackers) and operational patterns (the personas deployed in this operation show identifiable overlaps with known North Korean activities). The well-known security forensics company Mandiant (now part of Google), which was hired by Drift, had previously attributed the Radiant incident to the North Korean state-affiliated organization UNC4736, but Mandiant has not yet formally attributed the Drift incident, and complete device forensics are still ongoing.

Notably, the individuals who personally attended the meetings were not North Korean nationals. Steven stated: "North Korean hackers should not be viewed as a typical hacking organization, but rather as an intelligence agency; it is a large organization with thousands of people and clearly defined roles. Among them, the North Korean hacker Lazarus is formally designated as APT38 in the international security field, while another affiliated organization, Kimsuky, is designated as APT43."

This explains why they are able to deploy real people offline. They establish companies overseas under various names, recruiting local personnel who may not even be aware of whom they are working for. "He might think he has joined a normal remote working company, and after a year is sent to meet a client, everything seems normal, but behind it is a hacking organization. When law enforcement comes to investigate, that person knows nothing."

Now, Drift may just be the tip of the iceberg.

If the Drift incident reveals a vulnerability in a single protocol, subsequent investigations point to a larger issue: the same methods may have been operating throughout the entire DeFi ecosystem for years.

According to blockchain researcher Tayvano's investigation, since the rapid expansion of DeFi in 2020, code contributions associated with North Korean IT workers have spread across multiple well-known projects, including SushiSwap, THORChain, Harmony, Ankr, and Yearn Finance.

The methods employed by these individuals are strikingly similar to those in the Drift incident: using fake identities, obtaining development roles through freelance platforms and direct contacts, entering Discord channels, developer communities, and even attending developer meetings. Once inside the project, they contribute code, participate in development cycles, and build trust with the team until they understand the entire protocol architecture, waiting for the right moment to act.

Steven points out that traditional intelligence agencies are prepared to lie in wait for a lifetime, with the next generation continuing the unfinished tasks of the previous one. By comparison, Web3 projects are short-term, high-reward targets, and the remote nature of the work lets one person hold roles across several projects at once, which is common in the Web3 industry and raises no suspicion.

"The North Korean hacker organization will include all Web3 projects in their attack scope, meticulously screening each project and gathering information about team members. Their understanding of the projects is often greater than that of the project teams themselves," Steven said. The reason Web3 has become a primary target is that this ecosystem has a large amount of capital, lacks unified global regulation, and the prevalence of remote work makes it difficult to verify the true identities of collaborators and employees. Additionally, the generally young and inexperienced nature of the workforce provides an ideal infiltration environment for North Korean intelligence agencies.

Hacks are common; can project teams only wait passively?

Looking back at major incidents in recent years, social engineering has always been a core tactic of North Korean hacker groups. Recently, Binance founder CZ's memoir "Binance Life" was released, which recounts the incident in May 2019 when Binance was hacked for 7,000 bitcoins. According to CZ, the hackers first infiltrated the laptops of several employees using advanced malware, then implanted malicious instructions at the final step of the withdrawal process, stealing all 7,000 bitcoins from the hot wallet at 1 a.m. (worth about $40 million at the time). CZ wrote in the book that, based on the attack methods, the hackers had been lurking in the Binance network for some time and were highly suspected to be from North Korea's Lazarus group, and they may have even bribed internal employees.

The 2022 Ronin Network incident is also a classic case. Ronin is the sidechain behind the popular blockchain game Axie Infinity, responsible for handling all cross-chain transfers of in-game assets, and at the time, the locked funds were substantial. The attack was triggered when a developer received a seemingly high-paying job invitation from a well-known company, and during the interview process, downloaded a file containing malicious software, allowing the attackers to gain internal system access and ultimately steal $625 million.

The 2023 CoinsPaid incident employed a nearly identical method. CoinsPaid is a service provider for cryptocurrency payments, and the attackers similarly approached employees through a fake recruitment process, inducing them to install malware before infiltrating the system. More recent hacking tactics have become even more diverse: fake video calls, compromised social accounts, and malware disguised as meeting software.

Victims received seemingly normal Calendly meeting links, and upon clicking, were guided to install a fake meeting application, allowing the malware to steal wallets, passwords, recovery phrases, and communication records. It is estimated that through such methods, North Korean hacker groups have stolen over $300 million.

At the same time, the ultimate destination of the stolen funds is also worth noting. Steven stated that the stolen funds ultimately fall under the control of the North Korean government. Money laundering is carried out by a dedicated team within the organization, which sets up mixers and opens accounts under fake identities at numerous exchanges, following a complete and complex process: the funds are cleaned through mixers immediately after being stolen, then converted into privacy coins, and subsequently transferred across different DeFi projects, circulating repeatedly between exchanges and DeFi.

"The entire process is completed within about 30 days, with the final funds ending up in casinos in Southeast Asia, small exchanges that do not require KYC, and OTC service providers in Hong Kong and Southeast Asia, where they are cashed out."

So, in the face of this new threat model, where the adversaries are not only attackers but also participants, how should the cryptocurrency industry respond?

Steven believes that project teams managing large amounts of funds should hire professional security teams, establish dedicated security positions within the team, and ensure that all core members strictly adhere to security protocols. It is especially important that development devices and devices responsible for financial signatures maintain strict physical isolation. He specifically mentioned that a key issue in the Drift incident was the cancellation of the time-lock buffer mechanism, "which should never be canceled at any time."

However, he also admitted that if North Korean intelligence agencies truly want to infiltrate deeply, even rigorous background checks would struggle to identify them. Bringing in a security team is still crucial. He suggests that project teams engage a blue team (the defensive side in cybersecurity): a blue team can not only help harden devices and practices but also continuously monitor key nodes, so that if abnormal fluctuations occur it can detect the attack and respond immediately. "Relying solely on the project team's own security capabilities is insufficient to withstand this level of attack."

He also added that North Korea's cyber warfare capabilities rank among the top five in the world, second only to the United States, Russia, China, and Israel. In the face of such a formidable opponent, merely relying on code audits is far from enough.

Conclusion

The Drift incident proves that the greatest threats facing DeFi today are not just market conditions or liquidity; in terms of security, it is not only about preventing code vulnerabilities, because spies may be hiding right beside us.

When attackers are willing to spend six months and invest millions of dollars to cultivate a relationship, traditional code audits and security defenses are simply inadequate. And according to existing investigations, this set of methods has likely been operating in multiple projects for years, just not yet discovered.

Whether DeFi can maintain decentralization and openness is no longer the core issue; the real question is: can it resist the infiltration of those well-packaged adversaries while remaining open?
